Answers: Layer 3 Switching 2

By certskills September 7, 2016 09:10

This lab asks you to configure layer 3 switching. Along the way, you get a pretty good review of other LAN switching config basics as well. By Config Lab standards, this lab is long enough to forget what the lab asked you to do before you finish creating your own configurations, so keep the lab post open while you work. As usual, this answer post lists my opinion about the answer, plus some comments as to why. Enjoy!

 

Answers

Figure 1: Topology in Which to Add new IP Phones to Voice VLAN 100

 

Example 1: Dist1 Config

 

Example 2: Dist2 Config

 

Example 3: Access1 Config

 

Example 4: Access2 Config

 

 

Commentary

Layer 3 switching has become the preferred method for layer 3 forwarding in LANs as compared with using routers. Layer 3 switching relies on LAN switching hardware that often performs both layer 2 and layer 3 forwarding at higher capacities (more messages per second) than comparable routers. Also, using layer 3 switches instead of routers avoids having to use the Router-on-a-Stick method required for routers, which sends packets over a link to a router and then back out that same physical link. As a result, many campus and data center networks are built with switches only, with routers sitting only at the edge of the WAN.

In this lab you were tasked with configuring switches for both layer 2 and layer 3 roles. The access switches use only their layer 2 features, including their ability to handle a VoIP phone and a PC on the same switch port, while their distribution counterparts use both their layer 2 and layer 3 features and act as gateways for the attached PCs and VoIP phones.

Access Switch Configuration

To begin the discussion, first consider access switch Access1. Access1 has three different interfaces, two of which will be access ports that each connect to a phone and PC. The third interface will be a trunk port that connects back to the Dist1 switch. (Note that switch Access2 has the same basic requirements, just with different VLANs.)

Still focusing on switch Access1, to create the three VLANs use the vlan 10, vlan 20 and vlan 100 commands. (Alternately, create all three at once using the vlan 10,20,100 command as shown in Example 3.)

Next, still on Access1, you need to configure both the data and voice VLAN on ports G0/2 and G0/3. On G0/2, with its data VLAN 10, configure the switchport access vlan 10 command to define the data VLAN, and then the switchport voice vlan 100 command to define the voice VLAN used by the phone. Similarly, on port G0/3, configure VLAN 20 as the data VLAN with the switchport access vlan 20 command, and that same voice VLAN with the switchport voice vlan 100 command.

Finally, even still on switch Access1, configure interface GigabitEthernet 0/1 as a trunk. To do that, use the switchport mode trunk command.

Switch Access2 needs the same configuration details, just with different VLAN numbers; refer to Example 4 for details.

Distribution Switch Configuration

The distribution switch configuration is a bit more complex as it uses trunks, access ports and layer 3 VLAN interfaces.

First, just sit back and think about the VLANs that the two distribution switches must configure. Assuming that VTP transparent mode is used, the VLANs must be configured on each switch (that is, they will not be learned with VTP). Each distribution switch must know of VLAN 500, used on the access link between the two distribution switches. Then each distribution switch must know about the access VLANs used on the connected access switch, but not those of the opposite access switch. Table 1 lists the VLANs that each distribution switch must know and for which each switch will need a VLAN interface so it can route packets for the subnets on those VLANs.

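| VLAN | Purpose | Subnet is Routed by Dist1? | Subnet is Routed by Dist2? |
|------|---------|----------------------------|----------------------------|
| 10 | Data VLAN on Access1 | Yes | No |
| 20 | Data VLAN on Access1 | Yes | No |
| 100 | Voice VLAN on Access1 | Yes | No |
| 30 | Data VLAN on Access2 | No | Yes |
| 40 | Data VLAN on Access2 | No | Yes |
| 200 | Voice VLAN on Access2 | No | Yes |
| 500 | Link between Dist1 and Dist2 | Yes | Yes |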

 

Table 1: VLANs and VLAN Interfaces that Dist1 and Dist2 Need to Support

 

The table spells out the details of the vlan and interface vlan commands that both Dist1 and Dist2 need to configure and support. Both will need to configure four VLANs, as follows:

  • Dist1: vlan 10, vlan 20, vlan 100 and vlan 500 commands
  • Dist2: vlan 30, vlan 40, vlan 200 and vlan 500 commands

 

Additionally, each distribution switch needs a matching interface vlan vlan-id command. Then for each VLAN interface (four on each switch in this case), configure an IP address per the figure (for instance, ip address 172.16.1.1 255.255.255.192), and enable the interface (no shutdown). Examples 1 and 2 show those details.

Finally, each of the two distribution switches must also enable layer 3 switching. On some models of switches, the switch first requires that the switching ASIC be enabled to support IPv4 routing with a command like the sdm prefer command, followed by a reload exec command. (This lab does not show that part of the configuration, assuming that you are using a switch that is layer 3 capable by default.) The switch also needs to have IPv4 routing enabled, which requires the ip routing global configuration command. (That command is listed in the configuration in both Example 1 and Example 2.)

On Dist1, to configure interface GigabitEthernet0/1 into VLAN 500, use the switchport access vlan 500 command. To configure interface GigabitEthernet0/2 as a trunk using 802.1q encapsulation, use the following commands: switchport trunk encapsulation dot1q and switchport mode trunk. Next, you need to configure a VLAN interface for each of the four configured VLANs. To configure the interface for VLAN 10, use the interface vlan 10 command; to configure its IP address, use the ip address 172.16.1.1 255.255.255.192 command. To configure the interface for VLAN 20, use the interface vlan 20 command; to configure its IP address, use the ip address 172.16.1.65 255.255.255.192 command. To configure the interface for VLAN 100, use the interface vlan 100 command; to configure its IP address, use the ip address 100.100.100.1 255.255.255.0 command. To configure the interface for VLAN 500, use the interface vlan 500 command; to configure its IP address, use the ip address 200.200.200.1 255.255.255.0 command.

Dist2 has two different interfaces: one will be an access port that connects to Dist1, and the other will be a trunk port that connects back to the Access2 switch. To create the four VLANs, use the vlan 30, vlan 40, vlan 200 and vlan 500 commands. To configure interface GigabitEthernet0/1 into VLAN 500, use the switchport access vlan 500 command. To configure interface GigabitEthernet0/2 as a trunk using 802.1q encapsulation, use the following commands: switchport trunk encapsulation dot1q and switchport mode trunk. Next, you need to configure a VLAN interface for each of the four configured VLANs. To configure the interface for VLAN 30, use the interface vlan 30 command; to configure its IP address, use the ip address 172.16.1.129 255.255.255.192 command. To configure the interface for VLAN 40, use the interface vlan 40 command; to configure its IP address, use the ip address 172.16.1.193 255.255.255.192 command. To configure the interface for VLAN 200, use the interface vlan 200 command; to configure its IP address, use the ip address 100.100.200.1 255.255.255.0 command. To configure the interface for VLAN 500, use the interface vlan 500 command; to configure its IP address, use the ip address 200.200.200.6 255.255.255.0 command.
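As an added example (not part of the original post, and not a copy of its Example 1), the following Python script checks a typed Dist1 configuration for the items the commentary calls out: ip routing, a vlan definition behind every VLAN interface, no shutdown, and non-overlapping SVI subnets. The config text is reconstructed from the commands named above, and the function name audit_l3_switch is hypothetical.

```python
import ipaddress
import re

# Constructed sample input: Dist1 commands as named in the commentary, written
# as a typed config script (show running-config would omit "no shutdown").
DIST1_CONFIG = """\
ip routing
vlan 10,20,100,500
interface GigabitEthernet0/1
 switchport access vlan 500
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 172.16.1.1 255.255.255.192
 no shutdown
!
interface Vlan20
 ip address 172.16.1.65 255.255.255.192
 no shutdown
!
interface Vlan100
 ip address 100.100.100.1 255.255.255.0
 no shutdown
!
interface Vlan500
 ip address 200.200.200.1 255.255.255.0
 no shutdown
"""

def audit_l3_switch(config):
    """Hypothetical helper: return findings; an empty list means all checks pass."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    vlans, svis, current, findings = set(), {}, None, []
    if "ip routing" not in lines:
        findings.append("ip routing is not enabled globally")
    for ln in lines:
        vlan_cmd = re.fullmatch(r"vlan (\d+(?:,\d+)*)", ln)
        svi_cmd = re.fullmatch(r"interface [Vv]lan\s*(\d+)", ln)
        if vlan_cmd:  # "vlan 10" or the list form "vlan 10,20,100"
            vlans.update(int(v) for v in vlan_cmd.group(1).split(","))
        if svi_cmd:
            current = svis.setdefault(int(svi_cmd.group(1)), [])
        elif not ln.startswith(" "):  # any other top-level line ends the block
            current = None
        elif current is not None:
            current.append(ln.strip())
    networks = {}
    for vid, body in sorted(svis.items()):
        if vid not in vlans:
            findings.append(f"Vlan{vid}: no matching vlan {vid} definition")
        if "no shutdown" not in body:
            findings.append(f"Vlan{vid}: not enabled with no shutdown")
        addr = next((b.split()[2:4] for b in body if b.startswith("ip address ")), None)
        if addr is None:
            findings.append(f"Vlan{vid}: no ip address configured")
            continue
        net = ipaddress.ip_interface("/".join(addr)).network
        findings += [f"Vlan{vid}: subnet {net} overlaps Vlan{o}"
                     for o, n in networks.items() if net.overlaps(n)]
        networks[vid] = net
    return findings
```

Calling audit_l3_switch(DIST1_CONFIG) returns an empty list; removing ip routing or the vlan 500 definition from the text produces one finding for each omission.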


28 Comments

  1. Farris October 19, 03:48

    Hi, Wendell. How do you find the ip addresses of vlan 100 and 200? They are not shown in the question.

    • CCENTSkills October 19, 08:14

      Hi Farris.
      Well, short version is that I made them up, meant to document them so you’d know, and left those out. So I just updated the figure to include the subnets to match VLANs 100 and 200. The other instructions to use the lowest IP addresses in each subnet should tell you the rest.

      Also note that I fixed a typo in the figure as well: there was a mention of VLAN 20 on the lower right of the figure, but it should have been VLAN 40. Should be all good now.

      Thanks for asking,
      Wendell

      • CCENTSkills October 19, 08:16

        Actually, the figure shows the specific IP address as well – no calculation of the lowest IP address needed. Got ahead of myself. 🙂
        W

  2. Kevin October 25, 21:45

    Hi Wendell,

    Unless I’m missing something, it looks like you might need to correct the diagram.
    It lists in both the answer, and the explanation that the prefix mask for VLANs 100 and 200 is /24. However in the diagram, it’s pictured as having a prefix mask of /29.

    Thanks,
    Kevin

    • CCENTSkills October 27, 20:16

      Hey Kevin,
      Well, 2 for 2 on this one so far. Yep, I agreed with you Kevin. For a fix, I did as you suggested, and kept the mask at /24 for VLANs 100 and 200 because they have phones in them, and a /29 wouldn’t have left many addresses. Thanks for the heads up.
      Wendell

  3. Nihlus February 22, 05:44

    Hi Wendell
    Your books are perfect and these labs are just awesome, but here is a challenging question for you:

    With the above setting used inside the PacketTracer7.0 lab on Dist1 switch I’m getting this:

    %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with Dist2 GigabitEthernet0/1 (500).

    And on Dist2:
    %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with Dist1 GigabitEthernet0/1 (500).

    However everything works.

    With a trunk between Dist switches everything works without errors:

    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk

    Am I missing something? Or maybe the PT is acting weird?

    Many thanks

    • CCENTSkills February 24, 07:57

      Hi Nihlus,
      Thanks! Glad you like the books.
      On your question… that’s a normal reaction. CDP will notice when the native VLAN setting on opposite ends of a link is different, and issue that log message. I’d say PT is acting like real gear in this case. Is it possible that when you’re seeing those messages, you had configured one side to trunk, but not the other? I think if you had configured both DIST1 and DIST2 as shown above, and didn’t have any other pre-existing config on those interfaces, that they would not trunk, and CDP would not cause those messages (at least on real gear). Hope this helps…
      Wendell

      • Nihlus March 4, 12:04

        hello,
        real gear has finally arrived and everything seems normal there.

        thank you

      • Bav August 12, 14:44

        Hi Wendell – I’ve not done this lab yet but it looks very similar to the previous one and I had the above native vlan mismatch issue too. Both ends of the link are statically configured as access so I’m not sure why this is happening.

        Are you able to try this out in PT?

        • CCENTSkills August 15, 16:35

          Hi Bav,
          No, I haven’t. I don’t spend time testing on PT. It’s a black hole to start testing other people’s simulators. 🙂
          Sorry about that,
          Wendell

          • Marcelo November 22, 00:02

            Hi Wendell, you have no idea how much these blogs are helping me to fully understand all the different topics for the certification I’m pursuing. Thanks a lot for helping us to improve.

            I have the same message about VLAN mismatch, and I know this problem is “eliminated” by disabling CDP, but I want to know the reasons for this message. Just in case, I configured both sides of the link Dist1-Dist2 as access ports belonging to VLAN 500.

            I have a theory about this issue and I would like you to tell me if I’m right or wrong: given that both sides of the link are access ports of a different VLAN than the usual native VLAN 1 (500 in this case), the switch that receives the CDP message gets confused, because it doesn’t know which VLAN is the native one, 1 or 500 (if the link were a trunk, there wouldn’t be a problem, because VLAN 500 would have a tag). Am I right in my assumption?

      • MarceloV November 22, 00:01

        Hi Wendell, you have no idea how much these blogs are helping me to fully understand all the different topics for the certification I’m pursuing.
        I have the same message about VLAN mismatch, and I know this problem is “eliminated” by disabling CDP, but I want to know the reasons for this message. Just in case, I configured both sides of the link Dist1-Dist2 as access ports belonging to VLAN 500.

        I have a theory about this issue and I would like you to tell me if I’m right or wrong: given that both sides of the link are access ports of a different VLAN than the usual native VLAN 1 (500 in this case), the switch that receives the CDP message gets confused, because it doesn’t know which VLAN is the native one, 1 or 500 (if the link were a trunk, there wouldn’t be a problem, because VLAN 500 would have a tag). Am I right in my assumption? Please help me to clarify this so I can understand these topics well.

        Thanks.

        • CCENTSkills November 22, 13:39

          Hi Marcelo,
          Thanks for the note – glad you’re enjoying the blog content!

          On your question, you state that you make the interfaces be access ports. In that case, the native VLAN setting does not matter, and no frames will have trunking headers added, because neither switch is trunking. So, maybe I’m misunderstanding your comment.

          As access ports, they are assigned an access VLAN, which defaults to VLAN 1. That’s a different concept and setting than the native VLAN, which also defaults to VLAN 1. So when we use a scenario in which both switches are correctly operating with their ports as access ports, the native VLANs should not matter to the operation of the link. I don’t remember testing that case to find out if CDP would still give that “native VLAN mismatch” message (assuming you had set the native VLAN numbers to different values).
          Did I happen to cover your idea somewhere in here? 🙂
          Wendell

          • Marcelo November 23, 20:05

            About my comment, I was trying to understand the reasons behind that CDP message “native vlan mismatch”, after setting both ends of the link between the switches as access ports of VLAN 500. So I thought that it was something related to VLAN access ports and native VLANs, but your comment helped me to understand that problem and my confusion a little more.

            Thanks a lot. Anyway, all the pings work perfectly with your directions to configure this lab.

    • sYs December 11, 10:48

      The logs already tell you that both ends have different VLAN configurations. One with the native VLAN of 1 and the other with VLAN 500.

      %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with Dist2 GigabitEthernet0/1 (500).

      And on Dist2:
      %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with Dist1 GigabitEthernet0/1 (500).

      Modified logs just for perspective:

      %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (Native VLAN 1), with Dist2 GigabitEthernet0/1 (VLAN 500).

      And on Dist2:
      %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (Native VLAN 1), with Dist1 GigabitEthernet0/1 (VLAN 500).

  4. DC77 April 4, 16:52

    Good Evening Wendell,

    Really enjoy the books and the labs.

    Have a quick question about how to identify a layer 3 switch. Can the switch be identified via the type, for example a Cisco 2950, or does it depend on the IOS version that is loaded on the switch?

    Thanks,

    DC

    • CCENTSkills April 5, 06:38

      Hello DC77,
      Thanks! Glad you like the study tools.
      Unfortunately, the answer takes digging. For instance, just from memory, I can’t recall a 2950 model that had any layer 3 switching capabilities. Some 2960’s do, and yes it’s partially related to IOS uses between a few options. It also depends on the model of 2960 – I recall the first 2960s came out maybe around 2003? 2004? And there have been many entire new series inside the 2960 lines, with increasing capabilities for layer 3 switching, with IOS requirements. All the layer 3 switching stuff is usually disabled by default, and you have to config the “sdm prefer” command or similar to enable L3.
      So, a good place to check is the Cisco Feature Navigator (cisco.com/go/cfn). Pick the model you’re interested in, look for features for layer 3 switching, maybe for IP routing protocols, and find the IOS that you need. Worth time playing if you haven’t used it.
      Wendell

  5. Paul B May 1, 15:29

    Question about the answers in this exercise versus the earlier Layer 3 switching exercise.
    In cl149 (Layer 3 Switching 1) you included a couple options on the distribution switches in the example section that I am not seeing here. You talk about them in the commentary, and I just don’t see them in the configs in example 1 (dist1) and 2 (dist2) –
    – ip routing
    – no shutdown (on the vlan interfaces)

    Thanks!
    Paul

    • CCENTSkills May 4, 08:04

      Hey Paul,
      Yep, sometimes I struggle in these blog posts on drawing the line between being detailed vs just focusing on the major topic in a lab. In this case, I left those smaller details out. I did just add them back. I put “ip routing” into the problem statement as a pre-configured command, and the “no shut” in the answers. Thanks for the heads up.

  6. LavaDragon6 December 1, 08:19

    Hi, I’m going for my CCENT pretty soon! I just created this in Packet Tracer, and got a lot out of this, man, thanks!!

  7. 4lban October 12, 20:11

    Hi Wendell,
    Can we assign IP addresses (.1 and .6) on the local interfaces G0/1 connecting the distribution L3 switches but NOT assign these IP addresses to the VLAN 500 interfaces? Does it work this way?

    • CCENTSkills October 24, 10:42

      4lban,
      You can if you make the interfaces on the distribution switches be “routed” interfaces instead of “switched” interfaces. To do so, configure “no switchport” interface subcommands on both. On a layer 3 switch, that makes the physical interfaces act like ethernet ports on a router rather than a switch. Then the IP address config would be via interface subcommands, and the interfaces would not be associated with a particular VLAN.
      Wendell

  8. Winsen December 4, 21:41

    Hi Wendell,

    For the link between Layer 3 switch (Dist1 and Dist2) why switchport access is used instead of switchport trunk mode? Don’t we need vlan tagging at that port (layer 3 switch port) to communicate across network and vlans?

    • CCENTSkills December 13, 13:10

      Hi Winsen,
      The link between the two layer 3 switches needs to support just a single VLAN, so we used an access link in this case.

      It might help to think of the distribution switches as routers because of the layer 3 action. Think of them as routers, and the link between them as an Ethernet WAN link. Routers would not receive a frame from an access switch, say in VLAN 10, and then make a L2 switching decision to forward the L2 frame to the other distribution switch. Instead, it would be a routing decision/action – stripping the data link frame, making an IP forwarding decision, adding a new Ethernet header, and then forwarding. That forwarding link just needs to support sending those frames in the subnet between the distribution switches – so a single VLAN is needed.

      Hope this helps,
      Wendell

  9. Paul July 24, 19:03

    Hi Wendell,
    Why create vlan 500 and assign it to the access link between the distribution switches? Couldn’t a native vlan be used here?

    • certskills Author July 26, 16:06

      Hey Paul,
      For your first question, we chose VLAN 500 because the design needed a VLAN to use. The 500 was somewhat arbitrary – could have been any number. For your second question, sure, we could have made the lab require VLAN 500 to also be the native VLAN on that trunk. That wasn’t really the point, and I see no advantage to doing so, but sure that’d be a reasonable variation to configure.
      Hope this helps,
      Wendell
